🗓️ 28 May 2025
⏱️ 7 minutes
0:00.0 | Hello and welcome to the Wednesday, May 28, 2025 edition of the SANS Internet Storm Center's Stormcast. |
0:08.5 | My name is Johannes Ullrich, and this episode brought to you by the SANS.edu |
0:13.6 | bachelor's degree program in Applied Cybersecurity is recorded in Jacksonville, Florida. |
0:22.2 | Well, today we have a quick diary, nothing really too exciting and special, but it's really |
0:27.3 | about the security of SSH servers, in particular the authorized keys file. Now, we all know |
that we should use keys for authentication, not passwords, but the number one thing that I sort of see all these bots doing is that after they breach a Unix system, they will add a key of their choosing to the authorized keys file, giving them essentially a backdoor into the |
0:56.4 | system. So securing the file certainly sounds like a good idea, in particular on some of these |
1:03.1 | IoT and smaller Unix systems. I think the number one lesson here is that if you want to manage these keys centrally, |
1:13.8 | you don't have to put them into the user's home directory. |
1:17.4 | There is a simple configuration with SSH, at least with OpenSSH that pretty much everybody is using, |
1:25.1 | that allows you to store all the key files for all the users into a special directory. |
1:32.8 | You basically just use the username or the numeric user ID as the name of the file for each user. |
1:38.3 | And that way you have a centrally managed access. |
1:41.3 | The files only need to be readable by the users. |
1:43.8 | They don't need to be |
1:44.5 | writable by users. So that way, an attacker should no longer be able to modify these files |
1:52.3 | at will, at least not all of these bots and such that we see performing this particular |
1:58.6 | technique. And of course, that also makes monitoring these files a lot simpler |
2:03.6 | to detect any changes, in particular unauthorized changes, of course, early. |
2:09.6 | Also, talking about IoT vulnerabilities, |
2:12.5 | there is a good example here that I saw in a blog post from ONEKEY. ONEKEY makes software to find security |
2:20.9 | vulnerabilities. So one of those software scanning softwares. And they took a look at Meteobridge. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.